Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
7DescriptionGitHub Advisory
Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.25.0 are vulnerable to an unauthenticated Regular Expression Denial of Service (ReDoS) attack within the WebSocket subscription handling logic. By injecting unescaped regex metacharacters into the context parameter of a stream subscription, an attacker can force the server's Node.js event loop into a catastrophic backtracking loop when evaluating long string identifiers (like the server's self UUID). This results in a total Denial of Service (DoS) where the server CPU spikes to 100% and becomes completely unresponsive to further API or socket requests. Version 2.25.0 contains a fix.
AnalysisAI
Signal K Server versions before 2.25.0 allow remote unauthenticated attackers to crash the server via Regular Expression Denial of Service (ReDoS) in WebSocket subscription handling. By injecting unescaped regex metacharacters into the context parameter, attackers trigger catastrophic backtracking that consumes 100% CPU and renders the server completely unresponsive to all API and socket requests. This creates a complete denial of service for marine navigation systems relying on Signal K Server as their central data hub. While EPSS score is low (0.04%, 13th percentile), the trivial exploitation complexity (AV:N/AC:L/PR:N/UI:N) and complete availability impact make this a priority for boat operators running vulnerable versions. No public exploit identified at time of analysis, but the GitHub security advisory provides clear technical details. Vendor-released patch available in version 2.25.0.
Technical ContextAI
Signal K Server is a Node.js-based application that serves as a centralized data hub for marine vessels, aggregating sensor data, GPS, AIS, and other navigation information via standardized protocols. This vulnerability exploits algorithmic complexity in regular expression evaluation-specifically, the WebSocket subscription handler fails to sanitize regex metacharacters in the context parameter before using it to match against UUID strings. When an attacker provides input designed to cause catastrophic backtracking (a known ReDoS pattern), Node.js's single-threaded event loop becomes blocked in exponential-time regex evaluation. The vulnerability is classified as CWE-400 (Uncontrolled Resource Consumption), reflecting the lack of input validation and resource limits on regex operations. The affected component is the subscription filtering logic that matches incoming data streams to client subscriptions, a core function executed on every WebSocket message. The CPE identifier cpe:2.3:a:signalk:signalk-server confirms this is specific to the Signal K Server product, not the broader Signal K protocol or client implementations.
RemediationAI
Upgrade immediately to Signal K Server version 2.25.0 or later, released by the vendor with commit 215d81eb700d5419c3396a0fbf23f2e246dfac2d (https://github.com/SignalK/signalk-server/commit/215d81eb700d5419c3396a0fbf23f2e246dfac2d) and merged via pull request #2568. The fix implements proper input sanitization for regex metacharacters in WebSocket subscription context parameters. Download from official release page: https://github.com/SignalK/signalk-server/releases/tag/v2.25.0. For installations unable to upgrade immediately, implement network-level access controls to restrict WebSocket connections to trusted IP addresses only-configure firewall rules to block external access to Signal K Server ports (typically 3000/tcp) and require VPN or local network access. This workaround significantly reduces attack surface but requires careful network segmentation planning to maintain legitimate remote monitoring capabilities. Alternatively, deploy a reverse proxy (nginx, HAProxy) with request rate limiting and WebSocket message size restrictions as a temporary measure, though this adds complexity and may impact legitimate high-frequency data streams. Note that disabling WebSocket functionality entirely breaks core Signal K Server functionality and is not a viable long-term mitigation. All marine operators should validate patch deployment and monitor CPU utilization for anomalous spikes indicating potential exploitation attempts.
FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote
Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t
Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete
Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc
An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner
Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi
Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin
The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic
Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat
The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-24021
GHSA-7gcj-phff-2884